diff options
| author | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2016-07-28 17:39:14 +0200 |
|---|---|---|
| committer | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2016-07-28 17:58:55 +0200 |
| commit | fd5bbdb4363cbd2935b0d5a37c4e7355f45e61a4 (patch) | |
| tree | b64114d7bed5b1e26daedcafce68ca08a4af8c90 /nixos/modules/virtualisation/containers.nix | |
| parent | bf3edfbb3c75bc9cd640871fb4e0e9107dafaea1 (diff) | |
| download | nixlib-fd5bbdb4363cbd2935b0d5a37c4e7355f45e61a4.tar nixlib-fd5bbdb4363cbd2935b0d5a37c4e7355f45e61a4.tar.gz nixlib-fd5bbdb4363cbd2935b0d5a37c4e7355f45e61a4.tar.bz2 nixlib-fd5bbdb4363cbd2935b0d5a37c4e7355f45e61a4.tar.lz nixlib-fd5bbdb4363cbd2935b0d5a37c4e7355f45e61a4.tar.xz nixlib-fd5bbdb4363cbd2935b0d5a37c4e7355f45e61a4.tar.zst nixlib-fd5bbdb4363cbd2935b0d5a37c4e7355f45e61a4.zip | |
nixos-containers: Set DevicePolicy=closed
This makes the container a bit more secure, by preventing root creating device nodes to access the host file system, for instance. (Reference: systemd-nspawn@.service in systemd.)
Diffstat (limited to 'nixos/modules/virtualisation/containers.nix')
| -rw-r--r-- | nixos/modules/virtualisation/containers.nix | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix index 036e54e3847f..8cfe90e67d17 100644 --- a/nixos/modules/virtualisation/containers.nix +++ b/nixos/modules/virtualisation/containers.nix @@ -415,6 +415,8 @@ in # after the timeout). So send an ignored signal. KillMode = "mixed"; KillSignal = "WINCH"; + + DevicePolicy = "closed"; }; }; in { |